What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.

"The protection of personal data is a fundamental right," said Vice-President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship. "To guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalisation. The Commission will put forward legislation next year to strengthen individuals' rights while also removing red tape to ensure the free flow of data within the EU’s Single Market."

Today's strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

Strengthening individuals' rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.

Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.

Revising data protection rules in the area of police and criminal justiceso that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

More effective enforcement of the rules, by strengthening and further harmonising therole and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

The way forward

The Commission's policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review's proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site:

Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council.

In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry.

Background

EU data protection rules (the 1995 Data Protection Directive95/46/EC) aim to protect the fundamental rights and freedoms of natural persons, and in particular the right to data protection, as well as the free flow of data. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).

The right to the protection of personal data is explicitly recognised in Article 8 of the EU's Charter of Fundamental Rights and in the Lisbon Treaty. The Treaty provides the legal basis for rules on data protection for all activities within the scope of EU law under Article 16.

In 2009, the Commission launched a review of the current legal framework on data protection, starting with a high-level conference in May 2009, followed by a public consultation running until the end of 2009. Targeted stakeholders consultations were organised throughout 2010. In January 2010, Vice-President Viviane Reding announced the Commission's intention to modernise EU data privacy rules in a speech on Data Protection Day (see IP/10/63 and SPEECH/10/441) in her previous role as Information Society Commissioner. Today’s Communication was produced in agreement with Neelie Kroes, EU Commissioner in charge of the Digital Agenda.